[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Jimmy Hess mysidia at gmail.com
Mon May 6 16:21:44 EDT 2019

On Mon, May 6, 2019 at 2:04 PM Owen DeLong <owen at delong.com> wrote:

> To reduce this to one, you first need to identify an organization that can be
> Trusted with that authority, literally the ability to revoke the valid status of
> every route on the internet (or at least every route that has a corresponding
> ROA in the RPKI system.
> Who do you nominate for that function?

I would suggest making an expiration date 15 years forward as the sole
mechanism:  declining to implement the processing of real-time
revocation down to
RIR CAs by utilizing issuance policies where no CRL, OCSP, or other
URLs would be specified for certificates listed for production issued
to RIR CA,
or root RPKI CA, or RPKI intermediary certificates.

Or at least have that the  URLs given for distribution URLs should be URLs on
hostnames RIRs  control,  from which any CRLs are listed.

The requirement for revocation of one of the small number of RIR-level
cert or parent
should be so rare,  that it can be made a process where operators would need to
manually download the CRL if required (that should be set to never
expire) and apply it to their own routers.

This is a case where you need routers already up and running with announcements
accepted, before the  connectivity required to check certificate revocations  by
fetching status from OCSP or CRL distribution points should even exist.


More information about the ARIN-PPML mailing list